Posted to user@shiro.apache.org by droy314 <de...@gmail.com> on 2014/09/04 20:14:27 UTC

Privilege checks across requests in distributed applications

Hi,
I've used Shiro a while back and I really think it is easy to use, but now
I've got an interesting problem. I'm hoping someone has done something
similar and would be able to help.

I've got a distributed application, each domain deployed separately. For
example, if it were an insurance system, think of policy administration,
claims services and billing deployed as separate EJB services (no UI). In
addition to the business domains, I also have a centralized security
services system which creates and maintains sessions for users. The roles
and permissions are managed in a custom database and I have an
AuthorizingRealm deployed with my security services EJB. I would also use an
EnterpriseCacheSessionDAO which is backed by EhCache in distributed mode.

In each of my business domain EJBs I would have an interceptor to verify if
the caller's session has the appropriate privileges to invoke the service.
So, the general workflow would be:
1. UI applications create a session for the user. This is done by calling
the Security Service beans.
2. UI applications call the business services based on user actions. This
has to validate permissions based on the session id from step (1)
3. UI applications invalidate the session when the user logs out.

I would like to have a lightweight jar that is bundled with each of the
domain deployables that uses a Shiro SecurityManager to look up the roles and
permissions from the Cache. I do not want each business domain deployable
contacting the security database. Is this possible with Shiro? I tried a
simple PoC using 2 SecurityManagers running in different threads (to simulate
different SecurityManagers in JVMs) but I do not know how the Realm for the
SecurityManager that does the permission check is supposed to work. I think
I need a way to look up the session using a session id along with the roles
and privileges for that user. Currently I get an error because the Realm is
not configured.

Thanks,
Deepu Roy

--
View this message in context: http://shiro-user.582556.n2.nabble.com/Privilege-checks-across-requests-in-distributed-applications-tp7580188.html
Sent from the Shiro User mailing list archive at Nabble.com.
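Here is an added sketch (not from the original post) of the two-realm arrangement the question describes: the security service realm is the only component that reaches the role database and publishes the user's permissions to the shared cache, while each domain deployable runs a cache-only realm and rebuilds the caller's Subject from the session id it receives. It uses Shiro 1.x APIs and Java 10+; the class names, the in-memory Map and the single shared MemorySessionDAO are constructed stand-ins for the distributed EhCache and the replicated EnterpriseCacheSessionDAO.

```java
import java.util.*;
import org.apache.shiro.authc.*;
import org.apache.shiro.authz.*;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.session.mgt.DefaultSessionManager;
import org.apache.shiro.session.mgt.eis.*;
import org.apache.shiro.subject.*;
public class DistributedAuthzDemo {
    // Constructed stand-ins: the Map plays the distributed EhCache, the shared DAO plays EnterpriseCacheSessionDAO.
    static final Map<String, Set<String>> PERMS_BY_USER = new HashMap<>();
    static final SessionDAO SHARED_SESSIONS = new MemorySessionDAO();
    // Security-service realm: the only component allowed to read the role/permission database.
    static class SecurityServiceRealm extends AuthorizingRealm {
        protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken t) {
            String user = ((UsernamePasswordToken) t).getUsername();
            if (!"alice".equals(user)) return null;                          // unknown account
            PERMS_BY_USER.put(user, Set.of("claims:read", "billing:view"));  // DB lookup, then publish to cache
            return new SimpleAuthenticationInfo(user, "s3cret", getName());
        }
        protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection p) { return fromCache(p); }
    }
    // Domain-side realm: never authenticates (no DB access), answers permission questions from the cache only.
    static class CacheOnlyRealm extends AuthorizingRealm {
        protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken t) { return null; }
        protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection p) { return fromCache(p); }
    }
    static AuthorizationInfo fromCache(PrincipalCollection p) {
        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
        info.addStringPermissions(PERMS_BY_USER.getOrDefault((String) p.getPrimaryPrincipal(), Set.of()));
        return info;
    }
    static DefaultSecurityManager manager(AuthorizingRealm realm) {
        DefaultSecurityManager sm = new DefaultSecurityManager(realm);
        DefaultSessionManager sessions = new DefaultSessionManager();
        sessions.setSessionDAO(SHARED_SESSIONS);                  // both sides read the same session store
        sm.setSessionManager(sessions);
        return sm;
    }
    public static void main(String[] args) {
        // Step 1: the security service logs the user in; the UI keeps only the session id.
        Subject login = new Subject.Builder(manager(new SecurityServiceRealm())).buildSubject();
        login.login(new UsernamePasswordToken("alice", "s3cret"));
        var sessionId = login.getSession().getId();
        // Step 2: a domain EJB interceptor rebuilds the caller from that id and checks the permission.
        Subject caller = new Subject.Builder(manager(new CacheOnlyRealm())).sessionId(sessionId).buildSubject();
        System.out.println(caller.isPermitted("claims:read") + " " + caller.isPermitted("claims:approve"));
        login.logout(); // Step 3: stops the shared session, so a later lookup by id yields no principal
    }
}
```

Because the domain side trusts the cache unconditionally, the cache and session store must be writable only by the security service, and the cache entry should be evicted on logout so a stopped session cannot keep its permissions around.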